You can create firewall rules to establish Trust Groups and firewall rules to apply to an edge gateway to protect your virtual machines from outside network traffic.

Note

Advanced Networking Services includes two types of firewalls: the edge gateway firewall and the firewall to establish Trust Groups (referred to as a distributed firewall in the Advanced Networking Services Web UI). Configuring the edge gateway firewall is available for both Dedicated Cloud and Virtual Private Cloud subscription services. However, configuring the firewall to establish Trust Groups is possible only when you have the vCloud Air Dedicated Cloud subscription service.

Trust Groups, implemented through stateful distributed firewalls, isolate and secure each virtual machine and application down to the Layer 2 level. Because the policy is enforced per virtual machine rather than only at the network edge, configuring Trust Groups contains an external or internal compromise by controlling East-West traffic between virtual machines on the same network segment, so a compromised machine cannot freely reach its neighbors. Security policies are centrally managed, inheritable, and nestable, so networking and security administrators can manage them at scale. Additionally, once deployed, defined security policies follow the virtual machines or applications when they move into vCloud Air.

About Firewall Rules

Rules defined at the centralized level are referred to as pre rules. Tenants can then add rules at an individual edge gateway level, which are referred to as local rules.

Each traffic session is checked against the rules in the Firewall table from the top down. The first rule whose parameters match the traffic is enforced, and no later rule is evaluated for that session, so a broad rule placed high in the table can prevent a more specific rule below it from ever matching. Rules are displayed in the following order:

1. User-defined pre rules have the highest priority, and are enforced in top-to-bottom ordering with a per-virtual NIC level precedence.

2. Auto-plumbed rules (rules that enable control traffic to flow for edge gateway services).